Zero Trust Cybersecurity

A colleague shared a valuable insight with me: ‘Zero Trust cybersecurity is not just a destination but a continuous journey’ – Andy. Implementing Zero Trust is about evolving your security strategy over time, refining controls, and adapting to new threats. It’s a long-term commitment to ensuring that trust is always earned, never assumed, and that security measures remain dynamic in the face of constantly shifting risks.

In recent years, Zero Trust has become a critical security framework for defending against modern cyber threats. The National Institute of Standards and Technology (NIST) has formalized this approach in NIST SP 800-207, which outlines the core tenets of Zero Trust. Meanwhile, the Center for Internet Security (CIS) Controls v8 provides actionable steps to strengthen an organization’s cyber defense, many of which align with the Zero Trust principles defined by NIST. Understanding how these two frameworks relate can help organizations implement Zero Trust more effectively while adhering to CIS best practices.

Mapping CIS Controls v8 to NIST SP 800-207 Zero Trust Tenets

The mapping below relates key tenets of Zero Trust as outlined in NIST SP 800-207 to specific CIS Controls v8. It helps organizations understand how to leverage the CIS framework to implement a Zero Trust architecture.

1. “All Data Sources and Computing Services Are Considered Resources”

This mapping highlights how specific CIS Controls v8 can be used to implement and support the Zero Trust tenet that “All Data Sources and Computing Services Are Considered Resources” as outlined in NIST SP 800-207. These controls provide actionable guidance to ensure that every data source, application, service, and device is treated as a critical resource requiring strict access controls.

CIS Control 01: Inventory and Control of Enterprise Assets

    • Description: Organizations must maintain an accurate inventory of all devices (assets) connected to the network, ensuring that only authorized devices can access sensitive resources.

    • Zero Trust Alignment: This control supports the tenet by ensuring that all endpoints, servers, IoT devices, and other computing services are treated as resources, monitored, and managed. Access to these devices is controlled through explicit verification.

      Example: A Zero Trust architecture continuously monitors devices connected to the network. If a new, unrecognized device attempts to access resources, access is denied until the device is authorized.

CIS Control 02: Inventory and Control of Software Assets

    • Description: This control focuses on identifying and managing authorized and unauthorized software to ensure only secure, approved applications are allowed to execute within the network.

    • Zero Trust Alignment: All software applications, whether cloud-based or on-premises, are considered resources. Access to these software resources is explicitly controlled and monitored, ensuring that only verified, secure applications can interact with the organization’s data and computing resources.

      Example: Applications are treated as resources in a Zero Trust environment, meaning an application like a customer relationship management (CRM) system will only be accessible after verifying the user’s role, identity, and the security posture of the device.

CIS Control 11: Data Recovery

    • Description: This control focuses on ensuring that an organization can recover from a cybersecurity incident, such as data loss or corruption, by maintaining secure and reliable data backups. This control is designed to minimize the impact of cyberattacks, hardware failures, or other disruptions by having robust recovery procedures in place. The goal is to ensure that critical data can be restored quickly and securely in the event of an incident.

    • Zero Trust Alignment: Backups are considered critical resources that must be protected. Whether stored locally, offsite, or in the cloud, all backup systems and data are treated as resources requiring strict access controls, authentication, and continuous monitoring. Backup systems should be subject to the same security scrutiny as primary systems.

      Example: Backup files stored in a cloud environment, such as AWS or Azure, are encrypted, and access is tightly controlled. Even authorized administrators must go through multi-factor authentication (MFA) and device posture checks before they can interact with the backup data.

CIS Control 15: Service Provider Management

    • Description: This control focuses on ensuring that third-party service providers (such as cloud providers, managed service providers, and IT vendors) are securely managed. This control emphasizes defining, monitoring, and enforcing security requirements for third parties that have access to or manage critical data, systems, and services. The aim is to reduce the risks associated with outsourcing services and handling sensitive information to external vendors.

    • Zero Trust Alignment: Third-party service providers are treated like any other resource or entity—no implicit trust is given. Service providers must meet the same stringent security standards as internal systems, and their access to resources should be continually validated, monitored, and controlled.

      Example: A third-party vendor supporting a cloud application can only access the specific systems they manage, and access is automatically revoked after a predefined time window. They are granted access only when needed and are continually verified during their sessions.

2. All communication is secured regardless of network location.

The NIST SP 800-207 Zero Trust tenet “All communication is secured regardless of network location” emphasizes the importance of securing communications to protect data integrity and confidentiality, regardless of where the communication originates or terminates. Below is a mapping of relevant CIS Controls v8 to this specific Zero Trust tenet.

CIS Control 03: Data Protection

    • Description:
      CIS Control 3 focuses on protecting sensitive data through proper handling, encryption, and access controls. This control emphasizes the need to classify data based on its sensitivity and implement security measures to ensure that data is securely stored, transmitted, and accessed.
    • Zero Trust Alignment:
      In a Zero Trust framework, all data is treated as a critical resource requiring strict access controls. Access to data is based on user roles, and all interactions with sensitive data are continuously monitored and logged. Data is always encrypted both at rest and in transit to ensure protection against unauthorized access or breaches.
    • Example:
      An organization implements end-to-end encryption for all sensitive customer data in its database. Even authorized users must use secure access protocols (such as TLS) to retrieve this data, ensuring that it is protected during transmission and only accessible through verified connections.

CIS Control 04: Secure Configuration of Enterprise Assets and Software

    • Description:
      CIS Control 4 emphasizes the importance of securely configuring hardware and software to reduce vulnerabilities. This involves maintaining an inventory of assets, applying secure configurations, and regularly reviewing and updating these configurations.
    • Zero Trust Alignment:
      In a Zero Trust model, every device and software component is treated as a potential threat. Secure configurations are applied rigorously, and devices are continuously monitored for compliance with security policies. Access to systems is granted based on strict authentication and validation, ensuring only properly configured and compliant devices can connect to the network.
    • Example:
      An organization establishes baseline configurations for all operating systems and applications across its network. Any deviations from these configurations, such as unpatched software or unauthorized changes, are flagged, and access is denied until compliance is restored.

CIS Control 16: Application Software Security

    • Description:
      CIS Control 16 focuses on ensuring that software applications are developed and maintained securely. This includes implementing security practices during the software development lifecycle (SDLC), regular security testing, and vulnerability management.
    • Zero Trust Alignment:
      In the Zero Trust architecture, application security is paramount. Applications are treated as critical resources that require continuous assessment and validation. Regular security testing, such as penetration testing and code reviews, ensures that applications are secure against threats. Access to applications is tightly controlled, with users authenticated and authorized based on their roles.
    • Example:
      A development team employs static and dynamic application security testing (SAST and DAST) tools throughout the SDLC to identify vulnerabilities before deployment. Even after deployment, access to the application is restricted to authenticated users, and ongoing monitoring detects any suspicious activity.

3. Access to individual enterprise resources is granted on a per-session basis.

The NIST Zero Trust tenet “Access to individual enterprise resources is granted on a per-session basis” emphasizes that access to resources should be evaluated and granted dynamically for each session rather than relying on long-term permissions or roles. This approach recognizes that user needs and threat landscapes can change rapidly, requiring a more granular and flexible access control strategy. Below is a mapping of relevant CIS Controls v8 to this specific Zero Trust tenet.

CIS Control 05: Account Management

    • Description:
      CIS Control 5 focuses on managing user accounts effectively throughout their lifecycle, including creation, management, and deletion. This control emphasizes the importance of having an inventory of user accounts, assigning roles and privileges appropriately, and ensuring that accounts are regularly reviewed and deactivated when no longer needed.
    • Zero Trust Alignment:
      In a Zero Trust architecture, account management is crucial for establishing a strong security posture. Each account is treated as a potential entry point for threats, and as such, it is essential to implement strict controls over account creation, maintenance, and deletion. Continuous monitoring and periodic review of accounts help ensure that only legitimate users have access to resources, and any anomalous activity is detected and addressed promptly.
    • Example:
      An organization employs automated provisioning and deprovisioning tools to manage user accounts. When an employee leaves the company, the system automatically disables their account and revokes access to all resources within minutes. Additionally, regular audits of user accounts are conducted quarterly to ensure that only active and necessary accounts remain, minimizing the risk of unauthorized access.

CIS Control 06: Access Control Management

    • Description:
      CIS Control 6 emphasizes the implementation of access controls to manage user permissions based on the principle of least privilege. This control involves ensuring that users have access only to the resources they need for their job functions while preventing unnecessary access to sensitive data or systems.
    • Zero Trust Alignment:
      In a Zero Trust framework, access control is fundamental. Every access request must be verified, authenticated, and authorized, regardless of the user’s location or device. The principle of least privilege is strictly enforced, meaning users are only granted access to the specific resources they need, and this access is continually monitored and adjusted based on user behavior and context.
    • Example:
      An organization utilizes a role-based access control (RBAC) system to manage permissions. For instance, a finance department employee can access financial records and systems but cannot access human resources data. Access rights are reviewed regularly, and any unusual access patterns, such as an employee attempting to access sensitive files outside their role, trigger alerts for further investigation.

4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.

The NIST Zero Trust tenet “Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes” highlights that access decisions are not static but rather based on real-time evaluations of various factors. This approach ensures that access is granted based on the current context, which includes the identity and security posture of the user, the nature of the application or service being accessed, the device’s health, and other behavioral indicators such as login patterns or geolocation. By continuously assessing these attributes, organizations can apply adaptive access controls that enhance security by dynamically adjusting permissions based on the changing threat landscape and user behavior, ensuring that only legitimate requests receive access to sensitive resources.

CIS Control 13: Network Monitoring and Defense

    • Description:
      CIS Control 13 focuses on the continuous monitoring of networks to detect, respond to, and mitigate security threats. This control emphasizes the importance of implementing tools and processes to monitor network traffic, analyze logs, and detect anomalies or suspicious activities in real-time. The aim is to identify potential threats and vulnerabilities proactively, allowing organizations to take swift action to defend their networks.
    • Zero Trust Alignment:
      In a Zero Trust architecture, network monitoring and defense are critical components. Every network transaction and communication is treated with suspicion, and continuous monitoring helps to validate the integrity of these interactions. Rather than assuming that internal traffic is safe, organizations implement monitoring solutions that analyze all network activity, regardless of its origin or destination. This ongoing scrutiny helps to detect unauthorized access attempts, data exfiltration, and other malicious behaviors promptly.
    • Example:
      An organization deploys a Security Information and Event Management (SIEM) system to continuously monitor network traffic and log data. This system analyzes patterns and anomalies in real-time, generating alerts when it detects unusual behavior, such as multiple failed login attempts from a single user account or data being sent to an unrecognized external IP address. The security team can then respond immediately to investigate the alert and take appropriate actions to mitigate any potential threats.

5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.

The NIST Zero Trust tenet “The enterprise monitors and measures the integrity and security posture of all owned and associated assets” emphasizes the importance of continuous visibility and assessment of all assets within the organization’s network. This involves implementing tools and processes to monitor the health, configuration, and security status of hardware, software, and data assets in real-time. By regularly evaluating these assets against established security baselines and policies, organizations can quickly identify vulnerabilities, detect unauthorized changes, and respond proactively to potential threats. This ongoing monitoring ensures that any deviations from expected security posture are addressed promptly, thereby enhancing overall resilience and maintaining a secure environment aligned with the principles of Zero Trust.

CIS Control 07: Continuous Vulnerability Management

    • Description:
      CIS Control 7 emphasizes the need for ongoing identification, evaluation, and remediation of vulnerabilities in systems and applications. This involves conducting regular scans and assessments to detect vulnerabilities, prioritizing them based on risk, and implementing patches and updates to mitigate threats.
    • Zero Trust Alignment:
      In a Zero Trust architecture, continuous vulnerability management is critical because it assumes that threats can originate from both inside and outside the network. Regular vulnerability assessments ensure that security teams can identify and address potential weaknesses before they can be exploited by malicious actors. This proactive approach complements the Zero Trust principle of assuming that any asset can be compromised.
    • Example:
      An organization implements a continuous vulnerability scanning tool that automatically scans its network for known vulnerabilities on a weekly basis. Upon detecting a vulnerability in an outdated application, the system generates an alert, prompting the IT team to prioritize patching efforts to secure the application before any potential exploitation can occur.

CIS Control 09: Email and Web Browser Protection

    • Description:
      CIS Control 9 focuses on implementing measures to protect users from email and web-based threats. This includes utilizing secure email gateways, web filtering, and ensuring that web browsers are configured securely to minimize exposure to risks such as phishing and malware.

    • Zero Trust Alignment:
      In a Zero Trust framework, protecting email and web traffic is essential because these are common vectors for attacks. By adopting an allow-list approach for web browsing and email, organizations can restrict access to only trusted sites and services, reducing the risk of exposure to malicious content. This aligns with the Zero Trust principle of minimizing attack surfaces and enforcing strict access controls.

    • Example:
      An organization configures its web filtering system to allow only a specific list of approved websites for its employees. When an employee attempts to access a non-approved site, the system blocks the request and alerts the user. This prevents access to potentially harmful sites that could compromise network security.

CIS Control 10: Malware Defenses (allow-list approach for Zero Trust)

    • Description:
      CIS Control 10 focuses on implementing defenses against malware, including the use of allow lists (formerly known as whitelists) to permit only authorized applications and software to run on systems. This control helps to reduce the risk of malware infections by ensuring that only trusted programs can execute.

    • Zero Trust Alignment:
      In a Zero Trust model, employing an allow-list approach is a fundamental strategy for controlling application execution. By permitting only verified applications to run, organizations can significantly lower the likelihood of malware infiltration and unauthorized access. This approach reinforces the Zero Trust principle of continuously validating the security posture of applications and resources.

    • Example:
      An organization implements application control software that restricts execution to a predefined list of approved applications. When a user attempts to install or run an unauthorized application, the software prevents execution and logs the attempt for review by the security team. This ensures that only legitimate applications are used, minimizing the risk of malware infections.

6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.

The NIST Zero Trust tenet “All resource authentication and authorization are dynamic and strictly enforced before access is allowed” emphasizes that access to resources should be contingent on real-time verification of user identity and authorization levels. In this approach, authentication processes assess the user’s credentials and the context of their access request—such as location, device health, and behavior—before granting permission to access resources. This dynamic model ensures that access decisions are continually evaluated and can adapt based on changes in context or security posture, preventing unauthorized access and reducing the risk of breaches. By enforcing strict access controls, organizations can maintain a heightened security posture and respond effectively to evolving threats.

CIS Control 06: Access Control Management (Advanced capability)

    • Description:
      CIS Control 06 (Advanced Capability) focuses on implementing more sophisticated access control mechanisms beyond basic user authentication and role-based access control (RBAC). This includes advanced techniques such as context-aware access, behavioral analytics, and automated policy enforcement to ensure that only authorized users can access specific resources at any given time. The goal is to adaptively manage access rights based on various contextual factors like user behavior, location, device security posture, and risk assessments.
    • Zero Trust Alignment:
      In a Zero Trust architecture, access control management is critical, as it operates under the principle that no user or device should be trusted by default, regardless of their location within or outside the network. Advanced access control mechanisms continuously validate user identities and the context of access requests before granting permissions. By leveraging real-time data and adaptive policies, organizations can enhance their security posture and minimize the risk of unauthorized access to sensitive resources.
    • Example:
      An organization employs a context-aware access control system that requires users to authenticate not only with their credentials but also through multi-factor authentication (MFA) when accessing sensitive data. If an employee typically accesses resources from the office but suddenly tries to log in from a different geographical location, the system prompts additional verification, such as a biometric scan or a one-time code sent to their mobile device. This adaptive approach ensures that access is granted only after confirming the user’s identity and the legitimacy of their request, thereby mitigating potential security risks.
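To show how the per-session, dynamic-policy and strict-enforcement tenets above (tenets 3, 4 and 6) fit together in one policy decision point, here is an added illustration written for this article; it is not NIST, CIS or any product's code. The device inventory, accounts, entitlements and the step-up MFA rule are constructed assumptions.

```python
"""Per-session Zero Trust policy decision (added illustration, not NIST or CIS code).

Each call evaluates one request from scratch: account state, device inventory and
posture, least-privilege entitlements, and context (MFA, geolocation). All names
and inventory data below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed stand-ins for the asset inventory (Control 01), accounts (Control 05)
# and entitlements (Control 06).
DEVICE_INVENTORY = {
    "LT-1001": {"owner": "alice", "patched": True, "edr_running": True},
    "LT-1002": {"owner": "bob", "patched": False, "edr_running": True},
}
ACCOUNTS = {
    "alice": {"active": True, "role": "finance", "home_country": "DE"},
    "bob": {"active": True, "role": "hr", "home_country": "DE"},
    "carol": {"active": False, "role": "finance", "home_country": "DE"},
}
ENTITLEMENTS = {  # least privilege: roles allowed per resource
    "finance-ledger": {"finance"},
    "hr-records": {"hr"},
    "backup-vault": {"backup-admin"},
    "intranet-wiki": {"finance", "hr"},
}
SENSITIVE = {"finance-ledger", "hr-records", "backup-vault"}


@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    country: str      # where the request originates, per the client's geolocation
    mfa_passed: bool = False


@dataclass
class Decision:
    allow: bool = False
    step_up_required: bool = False
    reasons: list = field(default_factory=list)


def device_compliant(device_id, user):
    """Unrecognised, reassigned or unhealthy devices fail the posture check."""
    dev = DEVICE_INVENTORY.get(device_id)
    if dev is None:
        return False, "device not in inventory"
    if dev["owner"] != user:
        return False, "device not assigned to this user"
    if not (dev["patched"] and dev["edr_running"]):
        return False, "device posture non-compliant"
    return True, "device compliant"


def evaluate(req: Request) -> Decision:
    """Decide one session; nothing is remembered between calls, so every
    request is re-verified even from a user who was just allowed."""
    d = Decision()
    acct = ACCOUNTS.get(req.user)
    if acct is None or not acct["active"]:
        d.reasons.append("unknown or disabled account")
        return d
    ok, why = device_compliant(req.device_id, req.user)
    d.reasons.append(why)
    if not ok:
        return d
    if acct["role"] not in ENTITLEMENTS.get(req.resource, set()):
        d.reasons.append("role not entitled to resource")
        return d
    # Context: sensitive resources, or an unusual country, require step-up MFA.
    unusual_location = req.country != acct["home_country"]
    if (req.resource in SENSITIVE or unusual_location) and not req.mfa_passed:
        d.step_up_required = True
        d.reasons.append("step-up MFA required for this context")
        return d
    d.allow = True
    d.reasons.append("session granted")
    return d


if __name__ == "__main__":
    for r in (Request("alice", "LT-1001", "finance-ledger", "DE", mfa_passed=True),
              Request("alice", "LT-1001", "intranet-wiki", "BR"),
              Request("bob", "LT-1002", "hr-records", "DE", mfa_passed=True)):
        print(r.user, r.resource, evaluate(r))
```

Because the decision is rebuilt per request, disabling an account or marking a device non-compliant in the inventory takes effect on the very next session, which is the behaviour the account-management example above describes.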

7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.

The NIST Zero Trust tenet “The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture” emphasizes the importance of continuous data collection and analysis to gain comprehensive visibility into the organization’s security landscape. This involves gathering detailed information on asset configurations, network traffic, user behavior, and potential vulnerabilities. By leveraging this data, organizations can identify anomalies, assess risks, and make informed decisions to strengthen their defenses. The insights gained from this ongoing monitoring enable enterprises to adapt their security measures dynamically, ensuring a proactive approach to managing threats and maintaining a robust security posture in a constantly evolving threat environment.

CIS Control 08: Audit Log Management

    • Description:
      CIS Control 8 focuses on the collection, management, and analysis of audit logs to monitor user activities, detect potential security incidents, and support compliance efforts. This control emphasizes maintaining comprehensive logs for systems, applications, and user actions to facilitate effective security monitoring and incident investigation.
    • Zero Trust Alignment:
      In a Zero Trust framework, robust audit log management is critical because it provides visibility into all user activities and system interactions. By continuously monitoring logs, organizations can detect anomalies or unauthorized access attempts in real-time, reinforcing the principle of assuming that threats can arise from both internal and external sources.
    • Example:
      An organization implements a centralized log management solution that aggregates logs from all network devices, applications, and user activities. Security analysts regularly review these logs for unusual patterns, such as failed login attempts or access to sensitive data outside normal business hours, enabling them to quickly investigate and respond to potential security incidents.
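
The SIEM example under CIS Control 13 and the log-review example above both name the same three anomalies: repeated failed logins from one account, data sent to an unrecognised external address, and sensitive-data access outside business hours. The following added example (written for this article, not from any SIEM vendor or from CIS) runs those three rules over constructed sample log lines; the log format, thresholds, business hours, internal ranges and allow-listed destination are all assumptions.

```python
"""Three detection rules over constructed audit logs (added example, not from the page).

Flags repeated failed logins for one account, outbound flows to external addresses
not on an allow list, and sensitive-resource access outside business hours.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines: "<ISO timestamp> <event> key=value ...".
# 2024-05-06 is a Monday; the 23:45 access is the after-hours case.
SAMPLE_LOGS = """\
2024-05-06T09:01:00Z auth user=alice result=OK src=10.0.5.20
2024-05-06T09:02:10Z auth user=bob result=FAIL src=10.0.5.31
2024-05-06T09:02:40Z auth user=bob result=FAIL src=10.0.5.31
2024-05-06T09:03:05Z auth user=bob result=FAIL src=10.0.5.31
2024-05-06T09:03:30Z auth user=bob result=FAIL src=10.0.5.31
2024-05-06T09:04:00Z auth user=bob result=FAIL src=10.0.5.31
2024-05-06T09:10:00Z access user=alice resource=finance-ledger sensitive=yes
2024-05-06T23:45:00Z access user=alice resource=finance-ledger sensitive=yes
2024-05-06T10:00:00Z netflow host=LT-1001 dst=203.0.113.10 bytes=120000
2024-05-06T10:05:00Z netflow host=LT-1002 dst=198.51.100.77 bytes=950000000
2024-05-06T10:06:00Z netflow host=LT-1002 dst=10.0.9.9 bytes=4000
"""

# Assumed environment: RFC 1918 space is internal; one external SaaS address is approved.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 UTC, Monday to Friday


def parse(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    ts, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["event"] = event
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def detect(log_text):
    """Return a list of (rule, ...) tuples for every alert raised."""
    records = [parse(line) for line in log_text.splitlines() if line.strip()]
    alerts = []

    # Rule 1: N failed logins for one account inside a sliding time window.
    # Alert once, when the count first reaches the threshold.
    fails = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "auth" and r["result"] == "FAIL":
            window = fails[r["user"]]
            window.append(r["ts"])
            while window and r["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.pop(0)
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_logins", r["user"]))

    for r in records:
        # Rule 2: outbound flow to an external address that is not allow-listed.
        if r["event"] == "netflow":
            dst = ipaddress.ip_address(r["dst"])
            if not is_internal(dst) and dst not in ALLOWED_EXTERNAL:
                alerts.append(("unrecognised_destination", r["host"], str(dst)))
        # Rule 3: sensitive-resource access on a weekend or outside business hours.
        if r["event"] == "access" and r.get("sensitive") == "yes":
            t = r["ts"]
            if t.weekday() >= 5 or t.hour not in BUSINESS_HOURS:
                alerts.append(("after_hours_access", r["user"], r["resource"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Run against the sample it raises exactly three alerts, one per rule; each alert is the starting point for the analyst investigation the text describes, not a verdict on its own.
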

CIS Control 12: Network Infrastructure Management

    • Description:
      CIS Control 12 involves managing and securing the organization’s network infrastructure, including routers, switches, firewalls, and other network devices. This control emphasizes proper configuration, monitoring, and protection of network components to ensure secure communication and data transmission across the network.

    • Zero Trust Alignment:
      In a Zero Trust model, network infrastructure management is essential for creating segmented and controlled environments where access is strictly regulated. By ensuring that all network devices are properly configured and continuously monitored, organizations can minimize potential attack surfaces and enforce stringent access controls, validating every communication attempt before granting access.
    • Example:
      An organization conducts regular audits of its network devices to ensure they are configured according to security best practices. For instance, they implement VLAN segmentation to isolate sensitive data traffic from other network segments. Any configuration changes are logged and reviewed to ensure compliance with security policies.

CIS Control 17: Incident Response Management

    • Description:
      CIS Control 17 focuses on establishing and maintaining an effective incident response capability. This includes developing incident response plans, conducting regular training and exercises, and ensuring that appropriate resources are available to respond promptly to security incidents.
    • Zero Trust Alignment:
      In a Zero Trust architecture, a well-defined incident response management process is crucial for quickly addressing potential breaches or security events. Given that Zero Trust operates under the assumption that threats may exist both internally and externally, having a robust incident response plan helps organizations respond effectively to various scenarios, minimizing damage and restoring security swiftly.
    • Example:
      An organization develops an incident response plan that outlines the steps to take in the event of a suspected data breach. This plan includes clear roles and responsibilities, communication protocols, and escalation procedures. Regular tabletop exercises are conducted to ensure that the incident response team is familiar with the plan and can execute it effectively under pressure.

CIS Control 18: Penetration Testing

    • Description:
      CIS Control 18 emphasizes the importance of conducting regular penetration tests to identify vulnerabilities and weaknesses in an organization’s security posture. This proactive approach helps organizations understand their defenses from an attacker’s perspective and take necessary actions to mitigate risks.
    • Zero Trust Alignment:
      In a Zero Trust framework, penetration testing is critical for validating the effectiveness of security controls and access policies. Regular testing simulates real-world attack scenarios, helping organizations to discover potential vulnerabilities in their systems, applications, and network configurations. This aligns with the Zero Trust principle of continuously assessing and validating security measures to maintain a strong defense.
    • Example:
      An organization hires an external security firm to conduct a penetration test of its web applications and network infrastructure. The test reveals vulnerabilities that could allow unauthorized access to sensitive data. Following the assessment, the organization prioritizes remediation efforts based on the test findings and implements additional security controls to fortify its defenses.